backdoor.trojan in svcpack.exe

Discussion in 'malware problems & news' started by tomsbug, Oct 30, 2003.

Thread Status:
Not open for further replies.
  1. tomsbug

    tomsbug Registered Member
    Joined: Oct 30, 2003
    Posts: 1
    Hi, I received a notification of a virus, ran Norton to delete them, and am still getting a notice that the virus is present in system32/svcpack.exe. How can I delete it from this or clean up that virus? Thanks
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran
    Joined: Apr 27, 2002
    Posts: 13,330
    Location: Netherlands
    Hi tomsbug,

    Follow these steps, in exactly that order.
    Start your computer in Safe Mode, and find and delete the C:\WINDOWS\system32\svcpack.exe file.
    Next, STILL in Safe Mode (it may help if you print this out...) do the following, in that order:
    Copy the bold text to Notepad, and save as Remove.reg (make sure you save as type 'all files').
    Double-click Remove.reg, and answer yes when asked to add its contents to the Registry.

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlugin]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "SVC Service"= -


    Then boot normally and download, unzip and run: http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip

    Regards,

    Pieter
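
To see what a file such as the Remove.reg above will do before it is double-clicked, the following added example (not part of the original posts) parses the .reg syntax and lists each delete or write operation. The function names are hypothetical and the embedded file is a constructed copy of the text from the post; only single-line entries are handled, anything else is rejected.

```python
import re

# Constructed sample: the removal file from the post, as it would be saved in Remove.reg.
REMOVE_REG = r'''REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlugin]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SVC Service"= -
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def parse_reg(text):
    """Return (action, key, value_name) tuples for what importing the file would do."""
    # Hypothetical helper. Multi-line hex data is not supported: such lines raise
    # ValueError, so a file that cannot be read is never reported as harmless.
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]  # blanks, comments
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing .reg header line")
    ops, key = [], None
    for ln in lines[1:]:
        m = KEY_RE.match(ln)
        if m:
            if m.group(1):  # [-KEY] deletes the key with all its subkeys and values
                ops.append(("delete_key", m.group(2), None))
                key = None
            else:           # [KEY] selects the key the following value lines apply to
                key = m.group(2)
            continue
        m = VALUE_RE.match(ln)
        if not m or key is None:
            raise ValueError(f"unrecognised line: {ln!r}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        # "name"=- deletes the value; anything else after '=' writes data
        action = "delete_value" if m.group(2).strip() == "-" else "set_value"
        ops.append((action, key, name))
    return ops

def writes(ops):
    """A removal-only file should contain no writes; return any set_value entries."""
    return [op for op in ops if op[0] == "set_value"]

if __name__ == "__main__":
    for op in parse_reg(REMOVE_REG):
        print(op)
    print("writes:", writes(parse_reg(REMOVE_REG)))
```
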
     
  3. TonyKlein

    TonyKlein Security Expert
    Joined: Feb 9, 2002
    Posts: 4,349
    Location: The Netherlands
    A little late, but if this is on Windows 2000 or XP, you also need to download and run this vbs file in order to restore the default Windows WinLogon/UserInit registry value data, which will have been hacked by this hijacker: http://www.mjc1.com/files/mo/

    Cheers,
     